Splunk Enterprise Security Reviews

We use Splunk to monitor our private cloud, data center, and other applications.

I don't like Splunk very much and find that it does not have many useful features.

Splunk works based on parsing log files.

I don't like the pipeline-organized programming interface.

I find the graphical options really limited and you don't have enough control over how to display the data that you want to see.

I find that the performance really varies. Sometimes, the platform doesn't respond in time. It takes a really long time to produce any results. For example, if you want to display a graph and put information out, it can become unresponsive. Perhaps you have a website and you want to show the data, there's a template for that, or it has a configuration to display your graphics, and sometimes it just doesn't show any data. This is because the system is unresponsive. There may be too much data that it has to look through. Sometimes, it responds with the fact that there is too much data to parse, and then it just doesn't give you anything. The basic problem is that every time you do a refresh, it tries to redo all of the queries for the full dataset.

Fixing Splunk would require a redesign. The basic way the present the graphs is pipeline-based parsing of log files, and it's more of a problem than it is helpful. Sometimes, you have to perform a lot of tricks to get the data in a format that you can parse.

You cannot really use global variables and you can't easily define a constant to use later. These things make it not as easy to use.

I have been using Splunk for approximately one year.

I use Splunk at least a couple of times a week.

I'm not sure about scalability but to my thinking, it's not very scalable. I know that it's probably expensive because it relies a lot on importing log files from all of the systems. One of the issues with respect to scalability is that there's never enough storage. Also, the more storage you have, the more systems you need to manage all the log files.

Splunk is open for all of the users in the company. We might have 1,000 IT personnel that could access it, although I'm not sure how many people actually use it. I estimate that there are perhaps 200 active users.

I have not been in contact with technical support from Splunk.

In this company, we did not previously use a different monitoring solution.

I was not involved in the initial setup.

We have a DevOps team that is implementing Splunk and they are responsible for it. For example, they take care of the licensing of the product.

We have a team at the company that completed the setup and deployment.

The other product that I've seen is Elastic, and I think that it would be a better choice than Splunk. This is something that I'm basing on performance, as well as the other features.

My understanding is that as a company, we are migrating to Azure. When this happens, Splunk will be decommissioned.

Overall, I don't think that this is a very good product and I don't recommend it.

I would rate this solution a five out of ten.

The primary use case is computer network defense.

It is very important that Splunk ES provides end-to-end visibility in our environment. Part of the solution is bringing the user closer to the resolution.

The integration with other risk-based solutions, such as the risk matrix applications included with Splunk, is helpful. It helps us identify the risks without having to delve into other resources.

Splunk helped improve our company's ability to ingest and normalize data. That's the primary use of Splunk Enterprise or Core. For ingestion, we've been using Splunk Enterprise for about six or seven years before we had ES. So, that was the primary reason we got it.

In terms of the risk-based part, Splunk improved our ability to ingest and normalize data. Initially, we used Splunk Enterprise Core for aggregation and correlation. We didn't have the risk-based reporting.

I'm very impressed with Splunk's ability to identify and solve problems in real time. And I look forward to the new version improving the product.

We've been able to discover things we didn't see before. So, there's more that we discover now.

Splunk ES provides us with the relevant context to help guide our investigation. It goes back to the time to resolution. We have to do much less investigation because it's already built-in alerting. 

Risk-based reporting and anomaly detection are valuable features.

The biggest advantage is the reduced time to resolution. Before, it took us up to days to resolve issues, and with Splunk, we've been able to move that down to hours or even minutes in some cases.

I was just at the conference, and they spoke about and demoed a new version of Splunk. It looked like some pain points are resolved in the new solution, such as not having to go to so many different panels. Like to streamline or improve the UI. 

In terms of training. I find that some things about Splunk aren't well-explained. I see features and then go to the website but don't find good explanations. However, I can always call support and get help.

We purchased ES four years ago.

If properly built, I'm very impressed with the stability of Splunk ES. We initially stood it up on a single server, and to make it more robust, we had to break out of that single server concept to make it more resilient. 

The scalability is very good. That comes from our experience of having to scale out, and Splunk's documentation on scaling up is very good.

Every time we've used Splunk support, it's been very good. We don't have any in-house Splunk engineers, but headquarters has some they can send to assist us, so I can call on them. It's a very good support chain.

If there is some room for improvement, it is in terms of training. I find that some things about Splunk aren't well-explained. I see features and then go to the website but don't find good explanations. However, I can always call support and get help.

Positive

My company is very impressed with Splunk. We've used several SIEMs before, and Splunk has been the most efficient one.

There was one called Intelotactic, and another was called Secureworks. I believe both of those are gone now.

Initially, with Splunk, we had a steep learning curve. It went from a fairly low ingestion point to figuring out how much data we needed to get to a certain level. Even when we got to a level we were happy with; we found that we were ingesting a lot of noise in the data. We had to figure out ways to reduce that noise.

We bought the maintenance along with Splunk ES and used Splunk engineers to assist us in the setup. It was a very good process. It worked out very well for us.

The knowledge of the individual sent to us was impressive.

Deployment model: Ours is all on-prem currently, but we are headed towards a cloud solution.

I would rate it a nine out of ten. 

We use the solution to build correlation searches around insider threats and exultation of data. We also use it for DLP (data loss prevention) and to get more visibility on what's happening in our environment that could increase risk.

The solution's data aggregation has allowed our organization to unify a lot of inputs from various tools in one space and to be able to search from there.

The solution's most valuable feature is risk-based alerting, focusing on building out user risks for individuals throughout the enterprise.

It is important to our organization's security that Splunk Enterprise Security provides end-to-end visibility into our environment.

Splunk Enterprise Security's ability to find any security event across multi-cloud, on-premises, or hybrid environments is good. It's more about how you configure it and how well your company is equipped to provide and allocate resources to make the best use of the tool.

It has helped reduce our mean time to resolve.

The tool should include more real-world use case examples built out either through videos or in the community. These should not just be examples of how it can be implemented but of how previous solutions have been transitioned to new solutions and how they provide a different and better approach.

I have been using Splunk Enterprise Security for one to three years.

Splunk Enterprise Security is a very stable solution.

The solution’s scalability is based on the cost.

Splunk Enterprise Security is just a tool you can use, and then it's really up to the customer how they leverage it best.

Overall, I rate the solution a six out of ten.

We use it in our company to log everything. We use tools like XSOAR to take appropriate actions to mitigate threats.

Splunk Enterprise Security has aided our organization in the way it provides great visibility and helps with what our company's users do with it.

I like how easy it is to integrate the logging of all of the various nodes. The product also offers nice connectors. Other features include the product's ability to allow users to customize their dashboards, signatures, metrics, and other elements, making it a very valuable and reliable tool for my organization.

I don't know if there is a need for any improvements in the product since it is one of my peers and not me who is directly responsible for Splunk Enterprise Security in our company, so I will have to ask him if there are any requirements associated with the product.

The price may be an area of concern where improvements are required. Splunk Enterprise Security doesn't indulge in whitewashing, but Cisco does it too much.

I have been using Splunk Enterprise Security for two years.

I have not seen any outages in the product in the past two years that it has been running in our company, so I think it is good when it comes to the stability part. I have had an experience with the vendor during which there were two products, one from the vendor and the other from Splunk Enterprise Security, and we saw that one of them was not able to capture all the logs appropriately, after which our company had to figure out whether it was Splunk API or the vendor's tool.

I have never used the product's customer support. My peer has contacted the product's technical support team, and it has worked very well for him.

My company used to use one of the spin-offs from IBM. My organization has used IBM QRadar.

Though I am not sure about the deployment model, I feel that since it may not be on Azure, the product must be deployed with the help of AWS.

I have experienced an ROI revolving around the product's dashboards, metrics, and other such related stuff, but I don't know how to quantify them. My peer would be the best person to speak about the product's ROI.

My peer would be aware of the product's pricing part.

There was a pre-vendor selection approach my company followed, but I don't remember the names of the products involved.

It is pretty important how the solution provides end-to-end visibility in our company's environment because it provides opportunities for shadow IT and for people to do things that they should be doing. If one is appropriately logging in, the product gives us a view and helps our company discover things that we didn't know about.

In terms of Splunk Enterprise Security's ability to help our company find any security events across multi-cloud, on-prem, or hybrid environments, I will have to say that since we are still using it, it has to be effective. If it wasn't effective in the aforementioned area, my peer would have found something else in the product. I don't have enough personal insight into Splunk Enterprise Security's ability to help our company find any security events across multi-cloud, on-prem, or hybrid environments.

Splunk Enterprise Security has helped to reduce my company's alert volume. Our organization does get alerts, and we are trained for them. I will have to ask my peer to give me the exact number associated with the alerts my company receives.

The solution provides the relevant context that helps guide our company's investigations. The context information has impacted our company's investigation process as it definitely speeds it up because we have only a single source from which we can get that, and it helps us understand what may have taken place in a particular incident that we are looking at in our organization. In our company, if we look at any of the other services, we can see whether a particular or specific user touched just a single system or ten different systems.

The solution has helped reduce my company's mean time to resolve, but I don't have numbers to explain it.

The reason why I rate the tool a nine is because of the flexibility it provides to go back to the dashboards. The flexibility to be able to customize standard dashboards and other standard things that I want to be able to grab and have them pop out and then be able to create some sort of an action against those kinds of things that I want, of which the first is the standard reporting part, which is very valuable.

To those planning to use the solution, I would suggest that they need to get Splunk to work hard on the pricing part. People also need to encourage Splunk to stay true to its roots because I have seen what has happened to some of the other tools in the market. Splunk has been acquired by Cisco. You want Splunk because of its capabilities, not because of what Cisco wants to give you.

If I consider my company's needs, I rate the overall product a nine out of ten.

The use cases are mainly around monitoring for our clients' security operation centers and correlation of events and analytics for incidents that have been identified.

It has really improved things for our clients by reducing false positives. Most of the time, analysts end up wasting their time with false incidents, and that has been drastically reduced by Splunk.

It also definitely helps speed up your security investigations.

The dashboard and reporting are very good. Our clients monitor multiple cloud environments and Splunk helps because, in general, monitoring multiple cloud environments is definitely difficult and very complex. It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk.

The solution is also very good in its threat-hunting capabilities and anomaly detection. It uses an AI-based detection system to identify real-time anomalies and provides complete visibility into the network.

And you can feed multiple threat sources into Splunk and the Threat Intelligence Management feature gives you information about current or potential attacks. It provides complete security support in the threat intelligence space. It helps your administrator to correlate indicators of compromise from threat intelligence databases and feeds.

Also, the Splunk Mission Control feature, which is mainly for Splunk Enterprise Security cloud users, provides a unified and simplified security operations experience for SOC analysts.

We also use the solution's Threat Topology and MITRE ATT&CK framework feature. That's something you need for cyber breaches to contain a threat. This feature comes into play when you need to mitigate an incident in your environment.

While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated. Splunk has integrations with AWS, Azure, and other cloud providers, but when it comes to legacy applications, it is difficult to do a Splunk integration.

We have been working with Splunk Enterprise Security for one and a half years.

It's a very stable solution. 

It is very highly scalable.

The technical support is very good.

Positive

I used IBM Security QRadar. The main reason for switching is that Splunk has the scalability to handle bigger enterprise logs. Log management is the biggest issue in any SIEM. Splunk is able to rapidly grow its capacity.

Our clients' implementations are mostly on-prem and in the cloud.

Splunk is definitely not a cheap solution. It is an expensive product.

If a customer is evaluating SIEM solutions and is considering cheaper products, it depends on the customer's budget and use cases. For a large, enterprise customer with critical infrastructure that needs to be monitored 24/7, obviously, the cheaper solutions may not have the capacity to handle the huge volume of data. Splunk has the SIEM and the scalability as well as visibility features. When you want to monitor your applications and how they are performing, that is where Splunk is very strong.

In terms of maintenance of Splunk, you need to have an IT administrator monitoring it at all times.

When it comes to a large, enterprise customer's critical infrastructure, Splunk is one of the best solutions to use in a security operations center. It has multiple advantages, such as the dashboard that provides complete visibility, and a threat detection system with very advanced features. It is very valuable for any company that wants a good protection system.

You should definitely consider Splunk as one of your options for your SOC.

We primarily use the solution for monitoring, intrusion detection, and prevention. It is mostly a lot of security and network and server monitoring.

It automated the way we look at intrusion detection and prevention. It automatically picks up intrusion attempts within our environment.

The monitoring and the security functionality are the most valuable aspects of the solution.

It is easy to set up.

It is very scalable. 

You can basically make it do whatever you want, from log management and monitoring security, intrusion detection, prevention, and linking to your antivirus to report to it. Having kind of a single point where everything feeds in and create dashboards however you like is useful and works with how many ever systems you want in that dashboard.

I've not come across any areas that need improvement.

I'd like to see more integration with more antivirus systems.

We've used the solution for roughly, one year and a half years.

The solution is highly scalable.

We have four people that use the solution and they were split between infrastructure and security.

We don't have a plan to increase usage as we're almost at capacity with our servers, for our purposes. I don't think we're going to scale it as we're using everything we can from anything we need. However, it's intensely used for security purposes.

Technical support is perfect.

Positive

The initial setup was straightforward. It was done by Splunk entirely. After that, the configuration took a bit of time, however, we bought professional service days from them to help us build the configuration.

The full deployment took about five months due to the fact that we have quite a lot of servers.

I'd rate the experience a five out of five in terms of ease of execution. 

The amount of people you require for deployment and maintenance depends on the complexity of the environment. It can be run and managed by a single person if the environment is not highly complex. If you're talking about probably less than 200 servers, and a couple of network endpoints, one person can manage it easily after it's been configured. Otherwise, I wouldn't be able to say. In more complex environments where you've got several geographical locations, several data centers in geographical locations, and so on, you'd probably need more than one.

Splunk handled the implementation. It was a joint effort between them bringing the knowledge and us doing the actual work.

It's a great investment, especially if you want to strengthen your security stance.

It's yearly a yearly license on a three-year contract. On a three-year contract, you get a discount basically - rather than putting it on a rolling yearly contract.

On pricing, if I base it on the functionality of the system out of the box, I would rate it five out of five.

They have several prepackaged modules you can purchase. For example, for the security type, they have Security Enterprise, with the default products getting security essentials. With Infrastructure, the same. We've got an ITOps enterprise, which again, is payable on top of the standard license. 

It's pretty much how much you can actually build in-house. The difference between AT&T, LogRhythm, and Splunk, while AT&T and LogRhythm are pretty out of the box (it's click and configure), Splunk is highly configurable. 

You can make it do whatever you want to, as long as you know how to edit the configuration files. What ITOps and Security Enterprise do, instead of you having to build all that from the ground up, so the dashboards, the logic behind it, the configuration files, and so on, become prepackaged and pre-installed.

We did test AT&T and LogRhythm as well. We chose this solution as a balance between cost and functionality.

AT&T was a great security tool, however, it lacked a lot of the infrastructure things that Splunk does, in terms of server monitoring and network monitoring. LogRhythm did have a dose, however, at a very prohibitive price. It was almost twice the cost of Splunk.

We've got a version of Splunk Cloud. I'm not sure of which version.

I'd advise users to get more professional service days. You get five professional service days with the product, when you buy the license, usually. Definitely get at least ten more.

You need to have some strategy before. You definitely need a strategy. Before you do your PS days, definitely have a look at your strategy and make sure you've arranged your questions rather diligently. Based on how you think you're going to use the system, where you are where you want to be, just box them into separate parts - security, infrastructure, and monitoring. It's going to make life a lot easier when you talk to consultants as the consultants are very, very knowledgeable. However, you need to ask the right questions.

I'd rate the solution ten out of ten.

Our primary use cases are for detection and remediation.

The benefits we've seen from Splunk is that we can promote it to our customers. The second benefit is that it works. It does what it's purported to do, and the support is more than adequate. 

The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together.

It's pretty important that Splunk provides end-to-end visibility into your environment. As in any product that one purchases to fulfill a function, we want to recognize where it came in, who it affected, and what the challenges are that need to be met in order to resolve something, both immediately and also to make sure that it doesn't replicate in the future. Splunk does a good job of being able to do the former half. Dealing with issues requires tier-three support and above and it takes time. You can work through it with the help of your vendor team.

I would rate them an eight out of ten. It's not so much the problem of the application itself, although there are always improvements that can be done. There are a lot of moving parts that need to be added in and if you don't have the information that you need, especially within identity and inventory, then that can be an added challenge when you have to start making imprints based on what you do know.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There are a number of different standards that can be presented, which is beneficial. Some customers like to have the information that they receive in one format. The driving factor is that when you work with federal customers, some of them want it in one format. The response will be in one format as opposed to another. 

Splunk has helped to improve my company's business resilience. It's an active component in ensuring that we are vigilant against intrusion and detecting it.

Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement. That's something that they're accomplishing with their current version, although I haven't had an opportunity to learn much about it. With AI capabilities coming on board, a lot of that will alleviate the minutiae that people need to know in order to resolve problems as they come up.

Splunk's ability to predict, identify, and solve problems in real-time is a work in progress.

I have been using Splunk Enterprise Security for the past four years.

Aside from the fact that it can be a resource hog, I'm satisfied with the stability. I don't have too many problems except for a few occasions when we have a threat intelligence file blow up a drive because there's not enough room. It might be because a complete configuration has not been implemented. 

I like the fact that it can be tweaked, but a lot of the various configurations for how long data is held or how long particular components of investigation are held. 

I encourage users to use the vendor management team and cultivate a relationship with them. I have worked with companies who had support that I would rate 11 out of 10. I would rate Splunk an eight out of ten because as any large growing company, they have challenges with keeping the talent necessary, who are not only educated to evaluate a problem and pass it on or solve it themselves.

Positive

The largest challenge with the setup is that it has so many different components. The environment that we're in is a multi-tenant. Enterprise Security with all of its components is huge. If you're using something like a deployment server you can't break it up. It makes it rather unwieldy. I'm sure that there are workarounds that have not been implemented in-house.

Splunk provides more than the people who pay for it realize. I had a few exercises in presenting ROI and benefit-cost analysis and I have been able to demonstrate where it has performed superior to other options.

I was deeply distressed when they went away from their perpetual license.

We evaluated Splunk's typical competitors. We went with Splunk because Splunk has the underlying capability of not only ingesting anything and storing it using their bloom filters and whatnot in order so that you can do sparse and large searches relatively quickly. It also has a wonderful presentation layer, which can basically plug into many other systems. I find Splunk to be a veritable Swiss Grey knife of capabilities.

I would rate Splunk Enterprise Security an eight out of ten because there's always room for improvement and because it can be difficult to learn.

Our primary use case is to find brute-force attempts on our systems. 

We use it for security purposes, to find malicious activity, and to find misusage of our business platform.

The main benefits we have from Splunk Enterprise Security are the alerts with which we can manage the searches and the notables which can be good for documentation.

Identity management is the most valuable feature. 

Its ability to find any security event across any environment is useful if you use the risk parameter. If it can correlate with an identity or an asset, then correlations between such events are up to the analyst. 

Splunk Enterprise Security helped improve our organization’s ability to ingest and normalize data.

Splunk helped to reduce our alert volume by 53%. We work based on an on-call process. The analyst who is on call can use Enterprise Security to see what alerts they have and work from there.

If you load it correctly, Splunk will provide us with the relevant context to help guide our investigations. It made it easier. 

Splunk Enterprise Security helped improve our organization's business resilience.

In terms of its ability to create, identify, and solve problems in real-time, if the problem arises, we can go and look at Splunk, but if it's happening in real time and no one reports the issue, then it doesn't work in real time. 

It helps consolidate networking, security, and IT observability tools but it doesn't have such a big impact on our company. 

It should work better out of the box and have better use cases that would not require my intervention. For example, if I install an antivirus and endpoint protection on my computer, I don't need to do much. But to get any value from Splunk, I need to work hard on it. 

In the next release, they should include machine learning-based rules that would streamline the process of finding anomalies.

For real-time detection, I would not say that Splunk is the best. If you experience a problem and go to Splunk to look at the dashboard, then it's in real-time. Because of the way Splunk works, I wouldn't get an alert in real-time. 

I have been using Splunk Enterprise Security for five years. 

On newer servers, it can be stable. On our servers, it can take a while. We need to re-enter when we press selections. 

It is scalable. You can add more servers and analysts. 

Support depends on the issue. Sometimes they help but most of the time, I have to solve the issue on my own. 

I would rate support a six out of ten. Usually, it can take time until I get to someone who can help. The diagnostics aren't always accurate. I once had an issue where they replaced a certificate that we weren't using, so it didn't solve the problem. It can take a few iterations to solve the problem.

Neutral

The deployment is fine for me, but it is not really straightforward. I would suggest simplifying the process. For example, the whole certificate part is not secured by default. I would recommend fixing that.

We used EMET Computing for the integration. They are fine. 

We do see ROI. We can deduce the ROI from finding the damage that misusing our business platform is causing. 

I think that the price can be too high sometimes, especially for the cloud. We get a lot of logs that are meaningless. For example, if we are using a firewall, we get a message for every session or packet. A lot of those connections are the same. We pay a lot of money on the license and on logs that are the same. If there was a way to aggregate them, the cost of the license would be reduced.

I would rate Splunk Enterprise Security a six out of ten. It is useful but it doesn't add that much value on top of standard Splunk. Because of our use cases and environment, we don't use all of the features it has. Nevertheless, the value it provides isn't so different from Splunk Core.